Re: [Snort-users] Who doesn't care about virus rules, and why?

11-06-2003
kenw@kmsi.net

On Thu, 6 Nov 2003 09:01:15 -0600, "Schmehl, Paul L" <pauls@utdallas.edu>
wrote:

>> -----Original Message-----
>> From: snort-users-admin@lists.sourceforge.net
>> [mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of
>> kenw@kmsi.net
>> Sent: Wednesday, November 05, 2003 9:45 PM
>> To: snort-users@lists.sourceforge.net
>> Subject: [Snort-users] Who doesn't care about virus rules, and why?
>>
>> The header of virus.rules says:
>>
>> ># NOTE: These rules are NOT being actively maintained.
>> <snip>
>> ># These rules are going away. We don't care about virus rules anymore.
>>
>> Who are "we", and what makes them think these rules aren't important?
>>

>It's not that they aren't important. It's that no one seems to want to


The quote was "We don't care about virus rules anymore." Seems fairly
clear.

>maintain them. Doing so requires a great deal of work, and there *are*
>other, better methods of doing virus detection on a network.


Care to name one that actually gives the IP address of the source of the
attack? None that I'm familiar with do.

>However, it might make sense to maintain a smaller collection of the
>network aware worms, such as Bugbear (which is what is most likely
>driving your customer's printers crazy), Funlove, Qaz, Lovgate, Sobig,
>et al. The problem is finding someone to do that. I'd volunteer, but
>it's really hard for me to get samples (because of the protections we
>have in place), and I really don't have the time to set up a private
>network, infect a goat and capture its traffic so the signatures can be
>done right.


Neither do I. But I've already effectively volunteered to collect and
redistribute contributions from others as time permits, and in the format
of my own choosing. That's a whole lot better than doing nothing because
we can't do it all.

For a lot of computer geeks, we sure seem to have a problem with the
concept of optimization sometimes...

>Paul Schmehl (pauls@utdallas.edu)
>Adjunct Information Security Officer
>The University of Texas at Dallas
>AVIEN Founding Member
>http://www.utdallas.edu/~pauls/


/kenw

Ken Wallewein CDP,CNE,MCSE,CCA,CCNA
K&M Systems Integration
Phone (403)274-7848
Fax (403)275-4535
kenw@kmsi.net
www.kmsi.net

